Skip to content

Control 1.1: Restrict Agent Publishing by Authorization

Overview

Control ID: 1.1 Control Name: Restrict Agent Publishing by Authorization Regulatory Reference: FINRA 4511, SEC Rule 17a-4, GLBA 501(b) Setup Time: 15-30 min

Scope (US-only): This control is written for US-only tenants and environments. Use United States tenant geo where applicable and deploy Power Platform environments in US regions. Do not use this control as-is for cross-border operations without a data residency and regulatory review.

In-scope surfaces (as applicable):

  • Copilot Studio authoring and publishing
  • Power Platform Admin Center (PPAC) environment access control and sharing limits
  • Microsoft 365 integrated surfaces/channels used to expose agents (for example, Microsoft Teams / Microsoft 365 publish targets available in your tenant)

Critical Technical Limitation: Agent Creation Cannot Be Disabled

Important

Microsoft does not provide a native toggle to disable agent creation. Per Microsoft Learn documentation: "You can't disable agent creation. Our guidance is to use data policies to disable anyone from chatting with that agent." (Source)

This means the governance strategy must shift from prevention to containment:

Strategy Approach Effect
Block Publishing DLP policies block all 6 channel connectors Agents exist but cannot be deployed
Restrict Sharing Disable "Share with Everyone" Agents cannot be broadly distributed
Route Away Environment routing to governed environments Makers diverted from default environment

Sterile Default Environment Strategy

Since the Default environment grants all licensed users the Environment Maker role (which cannot be removed), implement a "Sterile Containment" approach:

Step 1: Block All Publishing Channels via DLP

Create a DLP policy scoped to the Default environment that blocks all 6 Copilot Studio channel connectors:

  1. Direct Line channels in Copilot Studio
  2. Microsoft Teams + M365 Channel in Copilot Studio
  3. Facebook channel in Copilot Studio
  4. Omnichannel in Copilot Studio
  5. SharePoint channel in Copilot Studio
  6. WhatsApp channel in Copilot Studio

Effect: Agents created in Default environment cannot be published to any channel, rendering them non-functional beyond the creator's test environment.

Step 2: Disable Broad Sharing

# Prevent "Share with Everyone" capability
$settings = Get-TenantSettings
$settings.powerPlatform.powerApps.disableShareWithEveryone = $true
Set-TenantSettings -RequestBody $settings

Step 3: Enable Environment Routing

Route all makers to governed environments (see Control 2.15: Environment Routing).

Note

Even with routing enabled, users who don't match any routing rule will fall back to the Default environment. Ensure routing rules cover all user populations OR implement the DLP blocking strategy above.

Prerequisites

Primary Owner Admin Role: Power Platform Admin Supporting Roles: Dataverse System Admin, Entra Global Admin, Microsoft Purview Audit (or Compliance) Admin/Reader, Teams Admin (if publishing to Teams)

  • License Required: Power Platform Premium (for Managed Environments)
  • Admin Role: Power Platform Administrator or Environment Administrator in Microsoft Entra ID
  • Dependencies:
  • Control 2.1: Managed Environments - Recommended for governance features
  • Additional Requirements:
  • Security groups configured in Microsoft Entra ID for maker management
  • Environment-level security roles configured

Governance Levels

Baseline (Level 1)

Limit publishing to known makers via security groups; require documented approval for shared agents.

Central publishing workflow + agent registry; enforce environment DLP and connector restrictions.

Regulated/High-Risk (Level 4)

Formal AI governance committee approval + legal review; change control and evidence retention.

Setup & Configuration

Portal-Based Configuration (Primary Method)

Step 0 (Recommended): Establish Release Gates and Separation of Duties

Use environment separation to enforce authorization as a technical control (not just policy):

  1. Create at least DEV/UAT/PROD environments (all in US regions).
  2. Assign roles so that:
  3. Makers can create/edit only in DEV (and optionally UAT).
  4. Publishers/Release Managers (small group) can publish to production channels in PROD.
  5. Compliance approvers cannot publish; they approve via workflow/tickets.
  6. Enforce “no direct publish to PROD” by ensuring unauthorized users do not have maker/admin rights in PROD.

This release-gate model is what makes “restrict publishing by authorization” auditable: a user cannot publish unless they are in the designated publisher group and the change record exists.

Step 1: Create Security Groups for Authorized Makers

  1. Sign in to the Microsoft Entra Admin Center (https://entra.microsoft.com)
  2. Navigate to Identity > Groups > All groups
  3. Select New group
  4. Configure the group:
  5. Group type: Security
  6. Group name: FSI-Agent-Makers-Team or FSI-Agent-Makers-Enterprise
  7. Group description: Authorized makers for team/enterprise agent development
  8. Membership type: Assigned (for strict control) or Dynamic (for automation)
  9. Add authorized users as members
  10. Select Create

Create additional security groups to support segregation of duties and release gates:

  • FSI-Agent-Publishers-Prod (small, named individuals only)
  • FSI-Agent-Approvers-Compliance (approvers only; no maker rights required)
  • FSI-Agent-Admins-Platform (Power Platform/Dataverse admins)

[Screenshot needed: Security group creation in Entra ID]

Step 2: Configure Environment Security Roles

  1. Sign in to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com)
  2. Navigate to Manage > Environments
  3. Select the target environment
  4. Select Settings > Users + permissions > Security roles
  5. Review and configure roles:
  6. Environment Maker: Can create apps and flows (assign to authorized makers only)
  7. Basic User: Can run apps but not create (for end users)
  8. System Administrator: Full control (limit to admins only)
  9. Remove Environment Maker role from unauthorized users

Recommended minimum assignments by environment:

  • DEV: FSI-Agent-Makers-* = Environment Maker; FSI-Agent-Admins-Platform = System Administrator
  • UAT: FSI-Agent-Makers-* = (optional) Environment Maker; FSI-Agent-Admins-Platform = System Administrator
  • PROD: FSI-Agent-Publishers-Prod = Environment Maker (or equivalent minimum required to publish); FSI-Agent-Admins-Platform = System Administrator; all other users = Basic User only

If your organization requires stronger separation, restrict PROD so only FSI-Agent-Publishers-Prod can edit/publish agents and keep general “maker” rights out of PROD entirely.

[Screenshot needed: Security roles assignment in Power Platform]

Step 3: Restrict Copilot Studio Access

  1. In Power Platform Admin Center, select the environment
  2. Navigate to Settings > Features
  3. Configure the following:
  4. Who can create and edit Copilots: Select Only specific security groups
  5. Add the FSI-Agent-Makers security group(s)
  6. Select Save

Hardening notes:

  • Apply this setting in each environment where Copilot Studio is enabled.
  • In PROD, prefer restricting creation/editing to FSI-Agent-Publishers-Prod (or a dedicated production maker group) rather than broad maker groups.

[Screenshot needed: Copilot Studio access restriction settings]

Step 4: Configure Maker Sharing Restrictions (Team/Enterprise)

  1. In Power Platform Admin Center, navigate to Manage > Environments
  2. Select your environment > ... (ellipsis) > Enable Managed Environments (if not already)
  3. Configure Limit sharing:
  4. For team collaboration: Exclude Sharing to Security Groups
  5. For enterprise managed: Do not allow sharing (strictest)
  6. This prevents unauthorized distribution of agents

If your tenant uses Microsoft 365/Teams publish targets, treat those as “distribution” and apply the same principle: only the production publisher group should be able to publish to broad channels.

Configuration Matrix by Governance Level:

Setting Baseline (Personal) Recommended (Team) Regulated (Enterprise)
Security groups Optional Required Required + approval
Environment Maker role Default access Restricted to group Restricted + logged
Copilot Studio access All users Authorized groups Authorized + reviewed
Sharing restrictions None Exclude sharing to groups No sharing allowed
Approval workflow None Manager approval Governance committee
Publishing audit Basic Enhanced Complete with retention

Step 5: Implement Approval Workflow (Team/Enterprise)

For collaborative and enterprise-managed environments, implement a formal approval process:

  1. Create Approval SharePoint List:
  2. Columns: Agent Name, Creator, Environment, Governance Tier, Approval Status, Approver, Date

  3. Configure permissions for Compliance team review

  4. Create Power Automate Approval Flow (optional automation):

  5. Trigger: When agent is ready for production
  6. Action: Send approval to designated approvers

  7. Outcome: Update registry and notify creator

  8. Document Approval Requirements:

  9. Team collaboration: Manager + Compliance acknowledgment
  10. Enterprise managed: Governance Committee + Legal review + Change Advisory Board

Add explicit release gates (evidence-grade):

  • Gate A (Design & Data Review): agent purpose, data classification, connectors list, and intended publish targets documented
  • Gate B (Security Review): DLP/connector policy confirmation and least-privilege review
  • Gate C (Testing/UAT): functional testing evidence and user acceptance sign-off
  • Gate D (Production Publish Authorization): approval record + change ticket ID required before publishing in PROD

Ensure each gate produces an artifact that can be retained as evidence (see Evidence Pack section).

Microsoft 365 Integrated Surfaces (As Applicable)

If your organization exposes Copilot Studio agents through Microsoft 365 integrated surfaces (for example, Microsoft Teams or Microsoft 365 publish targets available in your tenant), enforce authorization using the same separation-of-duties model:

  1. Only allow publishing to broad channels from the PROD environment.
  2. Restrict PROD maker/publishing rights to FSI-Agent-Publishers-Prod.
  3. If Teams distribution is used, ensure only designated administrators can manage org-wide availability in the Teams admin surface (role assignment is the enforcement mechanism).
  4. Require a change ticket/approval record for any publish that makes an agent broadly discoverable.

Evidence expectation: an auditor should be able to trace a publish event in audit logs back to an approved change record and to a user’s membership in FSI-Agent-Publishers-Prod at the time of publish.

PowerShell Configuration (Alternative Method)

# Prerequisites: Install Power Platform Admin modules
# Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser

# Connect to Power Platform
Add-PowerAppsAccount

# Get the environment
$EnvironmentName = "your-environment-id"

# Get current environment permissions
$envPermissions = Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $EnvironmentName
$envPermissions | Format-Table PrincipalDisplayName, RoleType, PrincipalType

# Remove Environment Maker role from "All Users" (if assigned)
$allUsersPermission = $envPermissions | Where-Object {
    $_.PrincipalType -eq "Tenant" -and $_.RoleType -eq "EnvironmentMaker"
}
if ($allUsersPermission) {
    Remove-AdminPowerAppEnvironmentRoleAssignment `
        -EnvironmentName $EnvironmentName `
        -RoleId $allUsersPermission.RoleId
    Write-Host "Removed Environment Maker role from All Users" -ForegroundColor Yellow
}

# Add Environment Maker role to authorized security group
$SecurityGroupId = "your-security-group-id"  # Get from Entra ID
Set-AdminPowerAppEnvironmentRoleAssignment `
    -EnvironmentName $EnvironmentName `
    -PrincipalType Group `
    -PrincipalObjectId $SecurityGroupId `
    -RoleName EnvironmentMaker

Write-Host "Environment Maker role assigned to authorized security group" -ForegroundColor Green

# Validation: Check final role assignments
Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $EnvironmentName |
    Where-Object { $_.RoleType -eq "EnvironmentMaker" } |
    Format-Table PrincipalDisplayName, PrincipalType

Financial Sector Considerations

Regulatory Alignment

Regulation Requirement How This Control Helps
FINRA 4511 Maintain records of authorized activities Only authorized makers can publish; all publishing logged
SEC Rule 17a-4 Record preservation Publishing events captured in audit log for examination
GLBA 501(b) Safeguards for customer data Restricts who can create agents that access customer data
SOX 302 Internal controls Publishing restrictions support segregation of duties

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Any licensed user can create and publish personal agents
  • No approval workflow required
  • Agents cannot be shared broadly
  • Rationale: Low risk, no customer data

Zone 2 (Team Collaboration):

  • Security group membership required to create agents
  • Manager approval required before production use
  • Monthly access reviews recommended
  • Agents can be shared within department only
  • Rationale: Internal data access requires accountability

Zone 3 (Enterprise Managed):

  • Strict security group membership (vetted makers only)
  • Governance Committee approval required
  • Legal review for customer-facing agents
  • Quarterly access certification
  • All publishing subject to change control
  • Rationale: Customer-facing, regulatory examination risk

FSI Implementation Example

Scenario: Broker-dealer implementing agent publishing controls for compliance agents

Security Group Structure:

Group Name Members Permissions
FSI-Agent-Makers-Dev All developers Personal productivity environments only
FSI-Agent-Makers-Team Senior developers + Business Analysts Team collaboration environments
FSI-Agent-Makers-Prod Approved makers (5 people) Enterprise-managed production environments

Approval Workflow:

  1. Developer creates agent in Tier 1: no approval
  2. Developer requests promotion to Tier 2: Manager approval + Compliance check
  3. After UAT, requests promotion to Tier 3: Governance Committee + Legal + CAB
  4. Publishing event logged with approver chain

Documentation Requirements:

  • Agent purpose and business justification
  • Data sources and sensitivity classification
  • Connector usage and security review
  • Approval chain with dates
  • Training completion for creators

Verification & Testing

  1. Attempt to publish as non-authorized maker:
  2. Sign in as a user NOT in the authorized security group
  3. Navigate to Copilot Studio
  4. Verify access is blocked or limited

  5. EXPECTED: Cannot create or publish agents

  6. Publish as authorized maker:

  7. Sign in as a user IN the authorized security group
  8. Create a test agent in the appropriate environment
  9. Verify publishing succeeds
  10. EXPECTED: Can create and publish agents

2a. Attempt to publish to production as a non-publisher (release gate enforcement): - Sign in as a user in FSI-Agent-Makers-* but NOT in FSI-Agent-Publishers-Prod - Access the PROD environment (if they have Basic User access) - Verify they cannot create/edit/publish agents in PROD - EXPECTED: No ability to publish in PROD

  1. Check audit log for publish events:
  2. Navigate to Microsoft Purview portal > Audit
  3. Search for Published bot events
  4. Verify all publishing is logged with user identity
  5. EXPECTED: All attempts logged with user, timestamp, agent details

3a. Correlate publish events to approvals (evidence-grade): - For a production publish, locate the approval record/change ticket ID - Verify the publisher is a member of FSI-Agent-Publishers-Prod - Validate timestamps: approval must pre-date publish - EXPECTED: Every production publish maps to an approval + authorized publisher

  1. Test sharing restrictions (team/enterprise):
  2. Try to share an agent with "Everyone" or unauthorized group
  3. EXPECTED: Sharing blocked per Managed Environment settings

4a. If Teams/M365 distribution is used: - Attempt to make an agent broadly available using a non-admin/non-publisher account - EXPECTED: Unable to complete org-wide distribution; restricted by role membership and PROD access

EXPECTED: Only authorized makers can publish; all attempts logged

Evidence Pack (Auditor-Ready)

Collect and retain the following artifacts for US-only audits and examinations (FINRA/SEC/GLBA). Store evidence in a controlled repository with retention aligned to your recordkeeping policy.

  • Identity & Authorization
  • Screenshot/export of FSI-Agent-Makers-* membership (with timestamp)
  • Screenshot/export of FSI-Agent-Publishers-Prod membership (with timestamp)

  • Periodic access review attestations for the above groups (monthly/quarterly per your policy)

  • Environment Configuration (PPAC)

  • Screenshots of environment Security roles showing who has Environment Maker/System Administrator in DEV/UAT/PROD
  • Screenshot of Copilot Studio restriction: “Who can create and edit Copilots: Only specific security groups”
  • Managed Environments “Limit sharing” configuration screenshot

  • Environment region confirmation showing US region (DEV/UAT/PROD)

  • Approvals & Release Gates

  • Approval record (SharePoint list entry or ticket) for each production publish

  • Required attachments: design/data review, connector/DLP confirmation, UAT sign-off, and release authorization

  • Audit Logs & Correlation

  • Microsoft Purview Audit search export showing publish events (publisher identity, timestamp, target)

  • Correlation table (spreadsheet or ticket fields) mapping: agent name/version → publish event → approval/ticket ID → approver(s)

  • Attestation Statement (recommended)

  • A short statement signed by the control owner confirming that:
    • Production publishing is restricted to FSI-Agent-Publishers-Prod
    • All production publishes require documented approval
    • Evidence is retained per policy in US-only repositories

Troubleshooting & Validation

Common Issues

Issue Cause Resolution
"User can still create agents" Security group not applied Verify group membership; check environment security roles
"Authorized user cannot access" Group sync delay Wait 15 minutes; have user sign out and back in
"Publishing events not in audit" Audit not enabled or delay Verify audit is enabled; wait 24-48 hours for new events
"Cannot restrict Copilot Studio" Feature not available Enable Managed Environments first (Control 2.1)
"Sharing still works" Limit sharing not enabled Enable in Managed Environment settings

How to Confirm Configuration is Active

  1. Via Portal (Entra ID):
  2. Navigate to Identity > Groups > Select FSI-Agent-Makers group
  3. Verify correct members are listed

  4. Check no unauthorized users have access

  5. Via Portal (Power Platform):

  6. Navigate to Manage > Environments > Select environment
  7. Go to Settings > Users + permissions > Security roles

  8. Verify Environment Maker role is assigned only to authorized groups

  9. Via User Testing:

  10. Have an unauthorized user attempt to access Copilot Studio
  11. Verify they cannot create or publish agents
  12. Have an authorized user test full workflow

Additional Resources

Control Relationship
2.1 - Managed Environments Enables sharing restrictions and governance features
1.2 - Agent Registry Tracks all published agents
1.7 - Audit Logging Logs all publishing attempts
1.18 - RBAC Broader access control strategy
2.3 - Change Management Approval workflow for promotions

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ✅ Current